Editor’s Note — DCC.
This brief summarises 《DEXC+专栏|个人信息交易危机:《网数条例》下被忽视的PIA能否构建交易合规防线?》 by Wang Senpeng (王森鹏), compliance manager at Shenzhen Data Exchange, writing for the DEXC+ think-tank column. Wang’s piece is the clearest practitioner-level account DCC has seen of how the Network Data Security Management Regulations change the PIA calculus specifically for data-product transactions — as opposed to internal processing. The DEXC+ column is published by one of China’s principal state-backed data trading venues, which makes this analysis particularly authoritative: Shenzhen Data Exchange is not theorising about the data-element market, it is the infrastructure the market runs on.
Wang frames his analysis around three compliance planes — subject (who is transacting), subject matter (what is being sold), and circulation (how it moves, including cross-border) — and works through the PIA obligations that attach at each plane under both PIPL and the Regulations. DCC’s summary preserves that structure and adds the overseas-counsel takeaway. All footnote citations in the source are preserved as textual attribution; we do not independently verify article numbers cited against the full statutory text.
The “personal-information trading crisis” the title refers to
Wang opens with the observation that China’s “Data Twenty Articles” (数据二十条, the State Council’s 2022 foundational framework for a data-element market) expressly conditions the construction of a data-element market on protecting personal information and commercial secrets. Yet in practice, Wang argues, the personal-information protection impact assessment (个人信息保护影响评估, commonly abbreviated PIA) is an under-used instrument. Enterprises tend to trigger a PIA only when they face hard regulatory pressure — most commonly an imminent cross-border transfer — and ignore the obligation in purely domestic trading contexts.
The “crisis” in the title is the compliance gap this creates. Personal-information data products now circulate routinely through data exchanges, but the legal infrastructure — including the PIA — has not been integrated into standard transaction workflows. The Network Data Security Management Regulations (网络数据安全管理条例, colloquially the “Network Data Regs” or 网数条例), Wang argues, provide the granularity needed to close that gap; the question is whether market participants will use them.
What a PIA is and why it matters in a trading context
Drawing on the national standard GB/T 39335-2020 (《信息安全技术 个人信息安全影响评估》), Wang defines a PIA as a process that: examines the legality and compliance of personal-information-processing activities; assesses the risk of harm to data subjects’ lawful rights and interests; and evaluates the effectiveness of protective measures. The definition is procedural rather than outcome-based — a PIA is a structured inquiry, not a pass-or-fail test.
In a trading context, Wang identifies four functions that a PIA serves beyond bare legal compliance:
- Risk mirror (明鉴宝镜): a PIA surfaces compliance gaps in a data product before it is widely circulated, reducing the handler’s exposure to liability for distributing non-compliant data.
- Listing accelerator (上市引擎): the evaluation dimensions in a PIA substantially overlap with the listing-compliance review that data exchanges conduct before admitting a product to trading. Conducting a PIA pre-transaction therefore shortens the exchange’s own review process.
- Self-certification (自证书): a completed PIA report functions as documentary evidence of compliance readiness — the kind of record a handler can produce to a regulator or counterparty on demand.
- Compliance signal (合规名片): for sellers, a PIA report signals to buyers and data subjects that the product’s provenance has been assessed, increasing competitive standing in a market where trust is a scarce commodity.
When a PIA is legally required — the three trigger planes
Wang structures the statutory trigger analysis around three planes drawn from Shenzhen’s draft local standard on data-trading compliance assessment (《数据交易合规评估规范(征求意见稿)》): subject compliance (主体合规), subject-matter compliance (标的合规), and circulation compliance (流通合规). This is a more granular framework than the bare PIPL Article 55 list, and it is worth walking through each plane.
Subject compliance. Certain regulated sectors carry sector-specific PIA obligations before any transaction. Wang’s leading example is online education: guidance published jointly by the Ministry of Education and five other departments required platforms storing personal information of 1 million or more users to complete a PIA. On the buyer side, if a data buyer acquires a product that pushes its stored personal-information count to or above that threshold, the buyer’s PIA obligation is triggered independently.
Subject-matter compliance. Under PIPL Article 55(1), handling sensitive personal information (敏感个人信息) requires a PIA before processing. For data products, Wang notes that sensitivity is not assessed statically at the point of collection — if a buyer’s existing data holdings, combined with a newly acquired product, cause the aggregated dataset’s risk level to increase to the point where disclosure or misuse could harm data subjects’ dignity, personal safety, or financial security, the resulting combined dataset must be treated as sensitive personal information, and the buyer must complete a PIA. Wang cites financial data products containing bank account information as a straightforward example of a product that is sensitive on its face.
A second category under subject-matter compliance covers data products built through automated decision-making (自动化决策): products where the seller has used automated analysis of individuals’ behavioural patterns, interests, or economic, health, or credit status to reach decisions, and has packaged that output as a product. PIPL Article 55(2) requires a PIA before using personal information in automated decision-making. Wang flags marketing data products — for instance, user-shopping-behaviour analysis products built from e-commerce platform data — as the most common commercial case. Shanghai’s trial guidelines on algorithmic applications in online marketing specifically require a pre-activity PIA for this category.
A third sub-category under subject-matter compliance is delegated processing (委托处理): where a buyer purchases a data service and the arrangement constitutes a delegation of personal-information processing to the seller, PIPL Article 55(3) requires a pre-transaction PIA. Wang illustrates this with the express-delivery sector: parcel-delivery companies routinely delegate collection, customs clearance, and last-mile operations to third parties, creating chains of personal-information delegation that have generated a pattern of data-leak incidents. The Ministry of Transport’s 2023 Express Delivery Market Management Measures require express companies that delegate user personal-information processing to complete a PIA beforehand and supervise the delegate.
Circulation compliance. Two triggers apply at the circulation plane. First, if the data product’s fields contain information relating to identified or identifiable natural persons — regardless of whether that information was originally public — the seller’s act of delivering the product to a buyer constitutes a disclosure of personal information to a third party, triggering PIPL Article 55(3) and requiring a PIA. Second, if the product is destined for cross-border circulation, both PIPL Article 55(4) and the Regulations on Promoting and Regulating Cross-Border Data Flows require a PIA before the cross-border transaction.
What the Network Data Security Management Regulations add
Wang’s central argument is that the Network Data Security Management Regulations sharpen the evaluation content of a PIA in ways that matter for data-product transactions. Although the Regulations nominally govern “network data processing activities,” Wang notes the industry consensus that “network” (网络) should be read broadly to include both public and private networks, giving the Regulations effective coverage over substantially all data products in practice.
Three sets of additions are particularly significant:
The dual-list privacy policy requirement. Article 149 of the Regulations introduces, for the first time at the administrative-regulation level, a “dual-list” (双清单) system for privacy policies. Many personal-information data products depend on user agreements — typically a privacy policy — as the mechanism for obtaining consent. The dual-list requirement changes how privacy policies must be structured and what they must disclose. In a PIA context, the question of whether a data product’s consent chain satisfies the new dual-list requirement becomes a mandatory evaluation item. The Regulations also introduce a requirement to specify retention-period determination methods, adding a new element to the consent and collection-legality assessment.
Web-scraping as a regulated collection method. Articles 18 and 24 of the Regulations address web crawlers (爬虫) as a data collection modality. For data products assembled through scraping, a PIA must now assess: whether the crawler caused harm to network services (including whether it unlawfully accessed another operator’s network); whether non-essential personal information or personal information collected without lawful consent was deleted or anonymised; and, if statutory retention periods have not yet expired or technical anonymisation is not feasible, whether processing was suspended (beyond storage and necessary security measures).
Delegated-processing agreement standards. Under Article 12 of the Regulations, where a data product involves delegated personal-information processing, the parties must have executed a data-processing agreement, and the PIA must evaluate whether the agreement’s content meets statutory requirements and whether processing records have been retained for at least three years. The three-year minimum record-keeping period is a specific obligation the Regulations add to the PIPL framework.
The three PIA evaluation dimensions in a trading context
Wang then consolidates the evaluation content into three dimensions: legality (合法维度), security (安全维度), and rights protection (权益保障维度).
Legality dimension. The PIA must trace the authorisation chain of all personal information in the data product across its full lifecycle. Collection-stage evaluation covers purpose specification, consent, PIPL Article 13 lawful bases, the dual-list privacy-policy requirements, retention-period methodology, and, for scraping, the crawler-specific obligations described above.
Security dimension. The security evaluation focuses on the effectiveness, legality, and proportionality of protective measures. Key items include: whether the handler has implemented encryption, backup, access control, and authentication (Articles 9 and 11 of the Regulations); where de-identification was applied during processing, whether re-identification risk has been assessed; whether data-transmission channels are closed after a transaction terminates or the contract expires; for cross-border products, whether the overseas buyer’s security capacity (management and technical infrastructure) has been assessed; and whether the data product’s storage environment is reliably isolated from other storage areas.
Rights-protection dimension. This dimension assesses the impact of the data product and its circulation on data subjects’ lawful interests — including restrictions on individual autonomy, differential treatment, reputational harm, psychological harm, and financial or personal-safety harm. Concrete evaluation items include: whether accessible complaint and reporting channels exist and are clearly publicised; whether the processing and trading activities could adversely affect data subjects’ lawful interests; and, for cross-border transactions, whether the receiving country’s personal-information protection regime is below China’s standards, and the risks of alteration, destruction, leak, loss, or unlawful use during and after the cross-border transfer.
Why overseas counsel should care
- The PIA is now an admission requirement, not a formality. Wang’s analysis makes clear that, at Shenzhen Data Exchange, PIA evaluation content substantially overlaps with the exchange’s own listing-compliance review. For overseas companies acquiring personal-information data products from Chinese exchanges, a counterparty’s failure to have completed a PIA is a due-diligence red flag and a potential barrier to listing — not merely an internal governance gap on the Chinese side.
- The three-year record-keeping obligation has extraterritorial implications. Where a data product involves delegated processing and a cross-border delivery, Article 12 of the Network Data Security Management Regulations requires processing records to be retained for at least three years. Overseas buyers who receive delegated-processing data products should confirm that this obligation has been met on the Chinese side, and consider whether their own onward-processing arrangements trigger analogous record-keeping duties under PIPL.
- Sensitivity is dynamic, not static. Wang’s point that a data product can become “sensitive” at the buyer’s end — through aggregation with the buyer’s existing holdings — is an important due-diligence principle for foreign acquirers. A dataset that is non-sensitive on its face at the point of sale may trigger PIA obligations and heightened protection duties once it is combined with data the buyer already holds.
- Cross-border PIA obligations run in parallel. Both PIPL Article 55(4) and the Regulations on cross-border data flows require a PIA before cross-border delivery. This PIA obligation is separate from — and in addition to — the security assessment or standard contract obligations that apply to cross-border transfers under the standard regime. Overseas counsel advising on data-import transactions involving Chinese personal-information data products should confirm that the selling party has completed both tracks.
DCC sources
- Original: 王森鹏 (Wang Senpeng), 《DEXC+专栏|个人信息交易危机:《网数条例》下被忽视的PIA能否构建交易合规防线?》, Shenzhen Data Exchange (深圳数据交易所) DEXC+ column, WeChat Official Account.
- Key instruments: Network Data Security Management Regulations (网络数据安全管理条例); PIPL (个人信息保护法), Article 55.
- Referenced standards: GB/T 39335-2020 《信息安全技术 个人信息安全影响评估》 (Information Security Technology: Personal Information Security Impact Assessment); 《网络安全标准实践指南——敏感个人信息识别指南》 (Cybersecurity Standards Practice Guide: Guide to Identifying Sensitive Personal Information).
- Referenced local standard: Shenzhen municipal local standard 《数据交易合规评估规范(征求意见稿)》 (Data Trading Compliance Assessment Specification, draft for comment).
- Sector instruments cited by Wang: Ministry of Education et al. online-education notification (2021); Ministry of Transport, Express Delivery Market Management Measures (2023); Shanghai Municipal Administration for Market Regulation, Trial Guidelines on Algorithmic Applications in Online Marketing.
This is an editorial summary, not a translation of Wang Senpeng’s piece. Structural framings and operational extrapolations are DCC’s. Any simplification, error of emphasis, or attribution of article numbers reflects DCC’s summarisation and has not been verified against the full statutory text. Not legal advice.